c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23/07/2024, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe
Size

29KB
MD5

2ce6284e2a130c7bb5bed33844120d83
SHA1

a9238b52e534546be54ba823178270e4996bbad2
SHA256

c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8
SHA512

9e2d65694a91ca1af118527f29b70c77088664d97b87874d1f6fba013b20b588b8c5a86c6bc849e1145a703e54803e53e2124eb2324a1ec4e9b8b5352e64f61e
SSDEEP

768:AEwHupU99d2JE0jNJJ83+8zzqgTdVY9/Tq:AEwVs+0jNDY1qi/qO

Score

7^/10

persistence upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1484	services.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1500-0-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/files/0x00070000000234d6-4.dat	upx
behavioral2/memory/1484-7-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-13-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-14-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-19-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-24-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-26-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-30-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-31-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/files/0x000400000001e73b-41.dat	upx
behavioral2/memory/1500-87-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-88-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-147-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-148-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-151-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-152-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-157-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-158-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-159-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-188-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-189-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-193-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1500-192-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1500-206-0x0000000000500000-0x0000000000510200-memory.dmp	upx
behavioral2/memory/1484-207-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/1484-211-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaVM = "C:\\Windows\\java.exe"	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Services = "C:\\Windows\\services.exe"	services.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\services.exe	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe
File opened for modification	C:\Windows\java.exe	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe
File created	C:\Windows\java.exe	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1484	1500	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe	83
PID 1500 wrote to memory of 1484	1500	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe	83
PID 1500 wrote to memory of 1484	1500	c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe	83

C:\Users\Admin\AppData\Local\Temp\c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe
"C:\Users\Admin\AppData\Local\Temp\c0d5c8d7e71985db3a9fb040e14ff8643f3f180145fbb6c07ba85aec9fd517c8.exe"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1500
- C:\Windows\services.exe
  "C:\Windows\services.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\ZLU29IB7.htm

Filesize
175KB

MD5
d2afcb801f1c358dc3337261912356bb

SHA1
4a2cef7889baed2f9efb826aa368a32fd2ba597e

SHA256
8dbc9d30e7062a080a9b65244d5a2d4731b7e2ffc4d0755989a71548b52e5b89

SHA512
8aec52fc6c760ac431c72ba373d67ccc7fa4c87e579dc5e0e830781afa6ef50e26dc6706947868b53f3f2368c58da1de338dfc0f7126875bad4b957c1a25945f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\results[2].htm

Filesize
1KB

MD5
211da0345fa466aa8dbde830c83c19f8

SHA1
779ece4d54a099274b2814a9780000ba49af1b81

SHA256
aec2ac9539d1b0cac493bbf90948eca455c6803342cc83d0a107055c1d131fd5

SHA512
37fd7ef6e11a1866e844439318ae813059106fbd52c24f580781d90da3f64829cf9654acac0dd0f2098081256c5dcdf35c70b2cbef6cbe3f0b91bd2d8edd22ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OZDMMIJY\search[2].htm

Filesize
25B

MD5
8ba61a16b71609a08bfa35bc213fce49

SHA1
8374dddcc6b2ede14b0ea00a5870a11b57ced33f

SHA256
6aa63394c1f5e705b1e89c55ff19eed71957e735c3831a845ff62f74824e13f1

SHA512
5855f5b2a78877f7a27ff92eaaa900d81d02486e6e2ea81d80b6f6cf1fe254350444980017e00cdeecdd3c67b86e7acc90cd2d77f06210bdd1d7b1a71d262df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9325.tmp

Filesize
29KB

MD5
adc3230dbd30307938ed88c6c4d12cd1

SHA1
20e1f0f3e665d8c82ef9714855ca1b25da507e17

SHA256
ec7a7e16baafbc6b3765dac9c241bb7b34e23d214ee403b7ba58c1c207209dee

SHA512
eca9bb90a8764319a32bd292a8229b40edff3c962cf3dfade67c12ba9d1c2a83f36ca95230e53f40d55b13bbe26d5fb75c28c39f0251755cd26fca8d624a3293

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
145b463f550de1ec852fe9c286ac02e5

SHA1
93653c1a02f8dbbb2dceee942b26a0eb60a13c6a

SHA256
7f9e0a6540fa1730de40949be79e82c786f87f342a75e9e3dd5ffdc23bfbcdf6

SHA512
c3a2e5a76bb959552ebf712ccb0fc66e926ca530dc73b81e38e83cbae7cce1229f9d69ff18d3a5e71ea4a7938eb59f01ac71e9682f59b1c890cda23446fd51e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
3f5e39355281855ed712c60f3aaebada

SHA1
f1f0b51b772d71f354b79a771c6d768944fcc55c

SHA256
c666493203faf25ed62975dd779a52a5b6703a137ec162e3f583a338403ea49d

SHA512
a50cfc2373f294f20a70bb58dc9e0de8036d74f0f03265339a27dc58dc2a1c28fafbdd820ad122a26456e0c3fecf158d88c37e1070457831045d030aa6d4f78b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
77e7475b59cc97fae015471cb71c76a7

SHA1
b70d0ca510e3e69d1d0af60dc4ba155c82ba3541

SHA256
9a99879a69fdb6fc1dcb2b4be418f0050251a8c3ffdb4633044d6ace55d3241d

SHA512
89ca97289493f9c5d6269f9a4192e54c291938a343d744e45de5f870503a6e3e190bbb1d02d1df24d4ccfe2bd2e729f63cedff986122574f1524710e77ec9d8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
5f1412d7e158a175f350c2e9c2d48097

SHA1
161f72e310bd448f8c86f1c5ccaff3969dcfc350

SHA256
2ea044c526336d02996ca9f3404c250f6baa2be7999a4e06e9564d26095b366e

SHA512
6e4ea551a9ac32dff761856073a465a08f1c09e80ecaf0e22380cb8914d6783a5b9295097345cf4c77a20318db4eb70d7c8c3bcc7f390db79a577156510c764c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
a60e692a413fb4ec33e2e54589b240cb

SHA1
c944fcc752fb6508ef5215c94a2ecd82be4cce38

SHA256
5e141f2e925d3c016682ed36e4346a37feabb1093e0d991a9952d7d72b92fe9d

SHA512
df63f2ca12c72f217dab72760a8d5592848ee078929b34b3f0aacbf72dd11b9cefc19050d2af6d74f00feaeff6f3a35a29d3f1965dd8ccdd2a1ef8d73622b75d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zincite.log

Filesize
384B

MD5
673e95cbeb70e2bac39315185cecf57d

SHA1
6ab69531cbff85b3ec4f26de439ba4051314d016

SHA256
879b11c209f7a9762bdc2ea475188393e63e2a6938a1b4d69b951010258d6689

SHA512
63ac64cbd576f5b87a7783df4cdd0e7d13884ff0764e4e19205d8896c68928403410757374bc4d4b012c1940323df884d7d8eac5ce7bddafdaaa44337688aa08

Download Submit
C:\Windows\services.exe

Filesize
8KB

MD5
b0fe74719b1b647e2056641931907f4a

SHA1
e858c206d2d1542a79936cb00d85da853bfc95e2

SHA256
bf316f51d0c345d61eaee3940791b64e81f676e3bca42bad61073227bee6653c

SHA512
9c82e88264696d0dadef9c0442ad8d1183e48f0fb355a4fc9bf4fa5db4e27745039f98b1fd1febff620a5ded6dd493227f00d7d2e74b19757685aa8655f921c2

Download Submit
memory/1484-189-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-31-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-7-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-88-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-14-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-211-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-148-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-193-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-152-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-157-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-207-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-159-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-26-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-24-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1484-19-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1500-151-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-0-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-192-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-188-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-206-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-158-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-147-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-30-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-13-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download
memory/1500-87-0x0000000000500000-0x0000000000510200-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads